   package com.example.demo.config;

   import com.example.demo.filter.JwtRequestFilter;
   import com.example.demo.service.UserDetailsServiceImpl;
   import org.springframework.beans.factory.annotation.Autowired;
   import org.springframework.context.annotation.Bean;
   import org.springframework.context.annotation.Configuration;
   import org.springframework.security.authentication.AuthenticationManager;
   import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
   import org.springframework.security.config.annotation.web.builders.HttpSecurity;
   import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
   import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
   import org.springframework.security.config.http.SessionCreationPolicy;
   import org.springframework.security.crypto.password.NoOpPasswordEncoder;
   import org.springframework.security.crypto.password.PasswordEncoder;
   import org.springframework.security.web.SecurityFilterChain;
   import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

   import java.util.List;

   @Configuration
   @EnableWebSecurity
   public class SecurityConfig {

       @Autowired
       private UserDetailsServiceImpl userDetailsService;

       @Autowired
       private JwtRequestFilter jwtRequestFilter;

       @Bean
       public PasswordEncoder passwordEncoder() {
           // 返回 NoOpPasswordEncoder 用于处理 {noop} 密码
           return NoOpPasswordEncoder.getInstance();
       }

       @Bean
       public DaoAuthenticationProvider authenticationProvider() {
           DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
           provider.setUserDetailsService(userDetailsService);
           provider.setPasswordEncoder(passwordEncoder()); // 设置为 NoOpPasswordEncoder
           return provider;
       }

       @Bean
       public AuthenticationManager authenticationManager(HttpSecurity http) throws Exception {
           return new org.springframework.security.authentication.ProviderManager(List.of(authenticationProvider()));
       }

       @Bean
       public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
           http
                   .authorizeHttpRequests((authz) -> authz
                           .requestMatchers("/auth/login").permitAll() // 允许未认证请求访问登录API
                           .requestMatchers("/api/personalinfo/**").hasAnyRole("ADMIN", "USER") // 所有个人资料相关的请求都需要认证
                           .requestMatchers("/api/personalinfo").hasRole("ADMIN") // POST 请求需要 ADMIN 角色
                           .requestMatchers("/api/personalinfo/{id}").hasRole("ADMIN") // PUT 和 DELETE 请求需要 ADMIN 角色
                           .requestMatchers("/api/personalinfo/all").hasRole("ADMIN") // GET /all 请求需要 ADMIN 角色
                           .requestMatchers("/api/personalinfo/{id}").hasAnyRole("ADMIN", "USER") // GET 请求可以由 USER 或 ADMIN 完成
                   )
                   .formLogin(AbstractHttpConfigurer::disable)
                   .logout(logout -> logout // 配置默认的登出机制
                           .logoutUrl("/logout")
                           .permitAll()
                   )
                   .csrf(AbstractHttpConfigurer::disable) // 禁用CSRF保护，因为Postman不会处理CSRF令牌
                   .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) // 使用无状态会话管理
                   .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class); // 添加 JWT 过滤器

           return http.build();
       }
   }
   